Securing a cardless ATM authentication through position detection

ABSTRACT

Systems and methods include a kiosk that performs an electronic payment transaction based on instructions received from a portable device of a user. The system further includes a transmitting device electrically coupled to the kiosk. The transmitting device is configured to transmit a first signal to the portable device at a first direction. The system further includes a receiving device electrically coupled to the kiosk. The receiving device is configured to receive a second signal from the portable device at a second direction. The transmitting device and receiving device are positioned such that the first and second direction enable determination of a position of the user, where the processor enables the electronic payment transaction to be processed only when the portable device is at a location relative to the kiosk. The location is disposed within a transmission path coextensive with both the first direction and the second direction.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. patent application Ser. No.16/746,619, titled “Securing a Cardless ATM Authentication throughPosition Detection,” which was filed on Jan. 17, 2020 and isincorporated herein by reference in its entirety.

BACKGROUND

An automated teller machine (ATM) enables customers of financialinstitutions to perform financial transactions, such as cashwithdrawals, deposits, transfer funds, or obtain account information. Asthe ATM operates in an automated fashion, such financial transactionsmay be generally performed at any time of day and/or any day of theweek, electronically, and without the need for direct interaction withbank staff.

Ever increasing security challenges plague ATMs, posing substantialfinancial losses and risk to financial institutions and their clients.Moreover, as financial transactions can increasingly involve mobile orother portable devices to facilitate transactions, man-in-the-middle(MitM) attacks can create additional challenges.

BRIEF DESCRIPTION OF THE DRAWINGS/FIGURES

FIG. 1 illustrates a terminal system, in accordance with someembodiments.

FIG. 2 is a flow diagram of a method for providing cardless ATMauthentication, according to some embodiments.

FIG. 3 illustrates a terminal system, in accordance with an embodiment.

FIG. 4 illustrates a cardless ATM system, in accordance with anembodiment.

FIG. 5A through 5H illustrate a wireframe of a mobile device ATMfulfillment process, in accordance with an embodiment.

FIG. 6 illustrates a terminal system, in accordance with an embodiment.

DETAILED DESCRIPTION

As described above, man-in-the-middle attacks present securitychallenges. In the context of ATMs, an attacker with physical proximitycan intercept financial transactions. For example, a customer whoattempts to withdraw money from an ATM via a mobile phone applicationmay encounter another person ahead in line at the ATM. A system shouldenable the ATM to dispense cash only after ensuring that the user ispresent in front of the ATM that is authorized to dispense the cash.

Provided herein are system, apparatus, device, method and/or computerprogram product embodiments, and/or combinations and sub-combinationsthereof, for conducting ATM transactions. Many banks presently offer amobile app experience that allows account holders to conduct a varietyof transactions. For example, an account holder may use the mobile appto transfer funds from a savings account to a checking account, or paybills from their funds. Embodiments verify that the individual is infront of the ATM to avoid the man-in-the-middle attacks described above.

To verify a position of an ATM user, antennas, such as directionalantennas, may be configured to interact with a mobile device of the ATMuser. In this way, embodiments verify that the user is present in frontof the ATM that is used for the withdraw. By verifying that the user ispresent in front of the ATM, security is improved.

The modules, units, and services in the following description of theembodiments can be coupled to one another as described or as shown. Thecoupling can be direct or indirect, without or with intervening itemsbetween coupled modules, units, or services. The coupling can be byphysical contact or by communication between modules, units, orservices.

FIG. 1 illustrates a computerized financial terminal system. Asdescribed in detail below, the system permits a customer to makereal-time financial inquiries and transactions when present at theterminal system. In some embodiments, the terminal system 100 can be anATM system to transact using a secure connection. In some embodiments,terminal system 100 can be a cardless ATM system enabling the customer112 to conduct a device-based transaction.

Terminal system 100 can include a kiosk 110, a transmitter 120, a sensor125, and a receiver 130. Kiosk 110 can include one or more processors,which can be configured to perform an electronic payment transaction.Transmitter 120, the sensor 125 and receiver 130 can be connected tokiosk 110. For example, transmitter 120, the sensor 125 and receiver 130can be connected with the kiosk to provide an interface through which acustomer can associate with a bank. In one example, kiosk 110 is an ATMkiosk that can communicate with a portable device of a customer throughtransmitter 120 and receiver 130. The components and arrangement of thecomponents included in terminal system 100 may vary. Thus, terminalsystem 100 may further include other components or devices that performor assist in the performance of one or more processes consistent withthe disclosed embodiments. The components and arrangements shown in FIG.1 are not intended to limit the disclosed embodiments, as the componentsused to implement the disclosed processes and features may vary.

Transmitter 120 and receiver 130 can include directional antennaspositioned in a manner that enables a transaction to be performed bycardless ATM system when the customer is present before kiosk 110.Specifically, transmitter 120 can be electrically coupled to kiosk 110and configured to transmit a first signal to a customer's portabledevice at a first direction. In one example, transmitter 120 can bedisposed within a mat, and configured to transmit a signal in adirection perpendicular to the floor, i.e., up. Receiver 130 can also beelectrically coupled to kiosk 110 and configured to receive a secondsignal from the customer's portable device at a second direction. In oneexample, receiver 130 can be disposed overhead and receive a secondsignal from a customer's portable device situated below receiver 130. Insome embodiments, transmitter 120 and receiver 130 are positioned suchthat the first and second direction enable determination of a positionof the user.

Further, although an exemplary wall-mounted arrangement is shown, thephysical arrangement of kiosk 110 may vary and is not limited to thisarrangement. For example, kiosk 110 can be part of a terminal systemprovided in a financial institution (e.g., a bank, an office, adepartment providing financial services, etc.) or other location. Insome embodiments, an employee representing the financial institution mayassist with the inputting of information from provided by the customer.

In some embodiments, transmitter 120 includes one or more directionalantenna or beam antenna. That is, transmitter 120 includes at least anantenna that radiates or receives greater power in specific directionsallowing increased performance and reduced interference from unwantedsources. In some embodiments, transmitter 120 is configured to transmita radiofrequency (RF) signal in only one direction, within a range ofabout ten percent or less from the direction. In some embodiments,transmitter 120 can include a directional antenna with a focused, narrowradiowave beam width, such as a high-gain antenna (HGA), permitting moreprecise targeting of the radio signals. However, embodiments of thepresent invention are not limited to this configuration and dipole,low-gain antenna (LGA), or any other transmitting device can be used.

FIG. 2 is a flowchart illustrating steps of a cardless ATM customerauthentication method 200, by which an ATM system verifies andauthenticates a customer attempting to operate a terminal system 100, inaccordance with an embodiment. It is to be appreciated the process maynot execute all steps shown or in the order shown, and may executeadditional steps.

Method 200 will be described with respect to FIG. 3, which illustratesan exemplary usage of terminal system 300. FIG. 3 is for illustrativepurposes only and are not to scale. In addition, FIG. 3 may not reflectthe actual geometry of the real structures, features, or layers. Somestructures, layers, or geometries may have been deliberately augmentedor omitted for illustrative and clarity purposes.

Referring to FIG. 3, exemplary transaction authentication method 200begins with operation 205, where a transaction request is submitted by auser 305 to a financial institution. A transaction request may bepresented to a financial institution by a user, who may be a customer ofthe financial institution, by a computerized process. In an exemplaryembodiment described in greater detail with respect to FIGS. 3A through3H below, a customer can initiate a transaction request by a mobiledevice 340. For example, user 305 can initiate a transaction request towithdraw an amount of cash from the financial institution. Thetransaction request can be initiated without constraint as to thelocation. For example, the transaction request can be initiated by user305 from a home, office, financial institution, or any other location.In some embodiments, the transaction request can be initiated withoutlimitation as to the location of the kiosk from which cash will bedrawn.

As shown in FIG. 3, terminal system 300 can include a kiosk 310, atransmitter 320, and a receiver 330, which can be embodiments of kiosk110, transmitter 120 and receiver 130, respectively. Transmitter 320 andreceiver 330 can be connected to kiosk 310. For example, transmitter 320and receiver 330 can be connected with kiosk to provide an interfacethrough which a customer can associate with a bank. Kiosk 310 can be anATM kiosk that can communicate with a portable device of a customer,such as user device 340, through transmitter 320 and receiver 330. Thecomponents and arrangement of the components included in terminal system300 may vary. Thus, terminal system 300 may further include othercomponents or devices that perform or assist in the performance of oneor more processes consistent with the disclosed embodiments.

Referring to FIG. 3, exemplary transaction authentication method 200continues with operation 210, where the presence of user 305 is detectedrelative to terminal system 300. Terminal system 300 can include a kiosk310, a transmitter 320, and a receiver 330, which can be embodiments ofkiosk 110, transmitter 120 and receiver 130, respectively.

In one non-limiting example, a sensor (not shown) is configured todetect the presence of a customer. In some embodiments, the sensor canbe a piezoelectric element disposed within transmitter 320, inaccordance with the above description. In other embodiments, the sensorcan be an infrared (IR) sensor, motion detector, PIR-based motiondetector, ultrasonic sensor, passive infrared (PIR) sensor, tomographicsensor, microwave sensor, or any other sensor or combinations thereof,configured to detect the presence of a customer at terminal system 200.In still other embodiments.

Exemplary transaction authentication method 200 continues with operation215, where the detection of user 305 initiates a key generation process.A processor generates a key (e.g., first signal 322) to be used in theauthentication of user device 340 before carrying out one or morefinancial transactions. Embodiments are not limited with respect to aspecific key generation algorithm. For example, in some embodiments, asymmetric-key algorithm can be used to generate an encryption key. Insome embodiments, the encryption key can be either partially or entirelyrandomly generated using any random number generator (RNG) orpseudorandom number generator (PRNG), including known PRNGs such asYarrow, Blum, Shub, or Lagged Fibonacci generators. Additionally, keygeneration protocols can include cipher protocol, such as a blockcipher, stream cipher, linear-feedback shift register (LFSR), or anyother cipher protocol.

Transaction authentication method 200 continues with operation 220,where a first signal 322 is transmitted from transmitter 320 to userdevice 340 in a first direction (e.g., θ_(T)). First signal 322 caninclude the key generated by a key generation process, as describedabove. Transmitter 320 can include a directional antenna that isconfigured to transmit first signal 322 in a specific direction, suchthat user device 340 is only enabled to acquire first signal 322 whendisposed at a specific location relative to transmitter 320.

In some embodiments, transmitter 320 is configured to transmit an RFsignal in only one direction, within a range of about ten percent orless from the direction. In a non-limiting example, transmitter 320includes a directional antenna configured to transmit first signal 322upward, where user device 340 is only enabled to acquire first signal322 when disposed above transmitter 320. Specifically, transmitter 320can be disposed in a floor mat and include a directional antennaconfigured to transmit first signal 322. A directional antenna oftransmitter 320 is configured to transmit first signal 322 in adirection (y) orthogonal to the floor (e.g., at an angle θ_(T) that isbetween about 80° and about 100° to the floor, or between about 85° and95° to the floor, or at an angle about 90° to the floor). Thereby, userdevice 340 generally is enabled to receive first signal 222 whenpositioned over transmitter 320.

Transaction authentication method 200 continues with operation 225,where a password based on key 322 is transmitted from user device 340 assecond signal 342. Second signal 342 can be received from user device340 by receiver 330 at a second direction. In some embodiments, thesecond direction can be identical or substantially identical to thefirst direction. In other embodiments, the second direction can bedifferent from the first direction. Like transmitter 320, receiver 330can include a directional antenna that is configured to receive secondsignal 342 in a specific direction only when user device 340 disposed ata specific location relative to receiver 330.

In some embodiments, receiver 330 is configured to receive an RF signalin only one direction, within a range of about ten percent or less fromthe direction. In a non-limiting example, receiver 330 includes adirectional antenna configured to receive second signal 342 upward,where receiver 330 is enabled to receive second signal 342 primarilywhen user device 340 is situated below receiver 330. Specifically,transmitter 320 can be disposed overhead (e.g., in a ceiling or overheadstructure) and include a directional antenna configured to receivesecond signal 322. A directional antenna of receiver 330 is configuredto receive second signal 342 in a direction (y) orthogonal to theceiling (e.g., at an angle θ_(R) that is between about 80° and about100° to the ceiling, or between about 85° and 95° to the ceiling, or atan angle about 90° to the ceiling). Thereby, receiver 330 generally isenabled to receive second signal 342 when positioned over user device340.

Referring to FIG. 3, exemplary transaction authentication method 200continues with operation 230, where the password transmitted from userdevice 340 in second signal, and received by receiver 330 in operation225, is compared to a password is matched to the user's credentials. Ifthe password is verified to match the user's credentials, then the kioskauthenticates the user and enables the user to complete the financialtransaction request. For example, after verifying the password, thekiosk can perform an operation to complete the cash withdrawaltransaction that was initiated in operation 305 above. Thus, transactionauthentication method 200 enables a kiosk 310 to perform a financialtransaction initiated by user device 340 only when the user device 340is present at a location relative to the kiosk, to ensure that user 305is present. By enabling the financial transaction only when the user 305corresponding to the transaction is present in front of the ATM,financial losses and risk to financial institutions and their clientscan be reduced.

FIG. 4 illustrates a cardless ATM system 400, in accordance with anembodiment.

In an embodiment, mobile device 340 is used by an account holder of abanking institution to conduct online banking. Specifically, mobiledevice 340 will typically have a mobile application (“app”) installedthereon and usable for interacting with the banking institution forperforming banking transactions on a user account holder's accounts.

In some embodiments, mobile device 340 interacts with the bankinginstitution through a secure interface 404. Secure interface 404 canprovide facilities for securely communicating with the bankinginstitution's backend systems to conduct transactions, and also protectsthe banking institution's backend systems from improper access attempts(e.g., distributed denial of service (DDoS) attacks, injection attacks,etc.)

In an embodiment, interaction with the banking institution's backendsystems through secure interface 404 is accomplished through a varietyof micro-services provided by micro-service repository 406. For example,cardless services 408 allow mobile device 340 to interact with an ATM310 without the need to have a physical ATM card as an authenticationmechanism for the account holder.

Specifically, cardless services 408 can allow the user account holder toauthenticate themselves to the banking institution using authenticationprocedures within an app installed on mobile device 340. By way ofnon-limiting example, this may include a username and password basedlogin, biometric recognition, access key, and other authenticationmechanisms, including the use of multiple authentication mechanisms in amulti-factor authentication scheme. A skilled artisan will appreciatethat a variety of authentication mechanisms may be employed at mobiledevice 340 in order to ensure that the user is authorized to accesstheir specific account through cardless services 408.

In an embodiment, an authenticated user on mobile device 340 may requesta transaction through cardless services 408 that needs to be servicedthrough ATM 310 (such as a cash withdrawal). Since the authenticateduser is known to the banking institution as having proper access toperform the transaction, even without the use of an ATM card, cardlessservices 408 can inform ATM 310 that the authenticated user is permittedto complete the transaction at ATM 310.

In order to complete the transaction, cardless services 408 can pair thetransaction to ATM 310 to allow completion of the transaction at ATM310. And if, with pairing complete through pairing service 410, cardlessservices 408 issues a request for ATM 310 to perform a specifictransaction (e.g., providing cash to complete a cash withdrawaltransaction), the instructions can be provided through ATM middleware412 to direct the behavior of ATM 310.

In accordance with an embodiment, pairing service 410 handles pairing oftransactions from mobile device 340 with ATM 310 through the use of abarcode or other unique identifying information obtained from ATM 310and provided through mobile device 340 as confirmation. For example, ATM310 may display a barcode, such as QR code 416, on its screen. Thisbarcode includes an identifier associated with ATM 310. When mobiledevice 340 has prepared a transaction for performance through cardlessservices 408, the mobile app executing on mobile device 340 may instructthe authenticated user to visit ATM 310 to complete the transaction. Askilled artisan will recognize that, although the disclosure herein ispresented principally by way of barcodes (which include special cases ofbarcodes, such as QR codes), other forms of coding may be used in placeof barcodes to equivalent effect.

In this embodiment, upon arriving at ATM 310, the user of mobile device340 is presented with QR code 416 on the display screen of ATM 310. Themobile app executing on mobile device 340 may present the user with anoption for obtaining this QR code 416 (or other code) from the ATM 310.For example, the mobile app may access a camera feature to allow theuser to scan QR code 416 using a camera 403 built into mobile device340. The mobile device 340 sends this QR code to cardless services 408and on to pairing service 410, which recognizes the identifier for ATM310 in scanned QR code 416. Accordingly, pairing service 410 is able topair the transaction initiated from mobile device 340 with ATM 310specifically on the basis of the identifier.

In a further embodiment, QR code 416 (or other form of barcode) may beread by a barcode reader 418. Barcodes, such as QR codes, that areformed in accordance with a specific standard are commonly readable byany reader that itself conforms to the barcode standards. For example,if barcode reader 418 is capable of reading QR codes such as QR code416, then barcode reader 418 would be able to obtain raw data present inany such QR code. Accordingly, a skilled artisan would understand thatbarcode reader 418 is any form of device capable of reading a barcode(such as QR code 416) displayed on ATM 310, and may include devices suchas a handheld barcode scan tool or a mobile phone with an installedapplication capable of reading and processing the barcode.

FIGS. 5A through 5H illustrate a wireframe of a mobile device ATMfulfillment process, in accordance with an embodiment. FIG. 5A shows anexemplary home screen for a mobile app used for banking on a mobiledevice, such as mobile device 340 of FIG. 4. From this screen, a user ofthe mobile app may select a transaction that requires an ATM forfulfillment—in this case, “Get Cash at an ATM.” FIG. 5B shows anexemplary screen allowing the user to select an account from which toperform the ATM withdrawal. FIG. 5C shows an exemplary screen forselecting an amount for the ATM cash withdrawal, while FIG. 5D shows anexemplary screen for confirming details of the withdrawal (including theaccount and the amount selected).

FIG. 5E shows an exemplary screen notifying the user that thetransaction has been approved, and is ready to be completed at an ATM.This screen also provides an option allowing the user to scan a code,which, once selected, navigates to the exemplary screen of FIG. 5F. Theexemplary screen of FIG. 5F shows a camera feature allowing the user toapproach the ATM with their mobile device to scan the code (e.g., a QRcode) shown on the ATM display. And the exemplary screen of FIG. 5Hshows a confirmation screen indicating that the transaction has beencompleted by the ATM.

As discussed in the context of FIG. 4, in an embodiment pairing service410 uses an identifier for ATM 310 obtained by mobile device 340 (e.g.,by scanning QR code 416 with an embedded identifier, using camera 405 ofmobile device 340) to pair ATM 310 with the transaction provided bymobile device 340. In this embodiment, the exemplary screens of FIGS.5A-5E illustrate the process of preparing the transaction forfulfillment by ATM 310, and FIGS. 5F-5H illustrate the process ofpairing the specific ATM 310 to the transaction of mobile device 340 byscanning QR code 416 using camera 405 of mobile device 340.

Various embodiments may be implemented, for example, using one or morewell-known computer systems, such as computer system 500 shown in FIG.5. One or more computer systems 500 may be used, for example, toimplement any of the embodiments discussed herein, as well ascombinations and sub-combinations thereof.

Computer system 500 may include one or more processors (also calledcentral processing units, or CPUs), such as a processor 504. For ease ofdescription only, all scenarios will be discussed as processor 504.Processor 504 may be connected to a communication infrastructure or bus506.

Computer system 500 may also include user input/output device(s) 503,such as monitors, keyboards, pointing devices, etc., which maycommunicate with communication infrastructure 506 through userinput/output interface(s) 502.

One or more of processors 504 may be a graphics processing unit (GPU).In an embodiment, a GPU may be a processor that is a specializedelectronic circuit designed to process mathematically intensiveapplications. The GPU may have a parallel structure that is efficientfor parallel processing of large blocks of data, such as mathematicallyintensive data common to computer graphics applications, images, videos,etc.

Computer system 500 may also include a main or primary memory 508, suchas random access memory (RAM). Main memory 508 may include one or morelevels of cache. Main memory 508 may have stored therein control logic(i.e., computer software) and/or data.

Computer system 500 may also include one or more secondary storagedevices or memory 510. Secondary memory 510 may include, for example, ahard disk drive 512 and/or a removable storage device or drive 514.Removable storage drive 514 may be a floppy disk drive, a magnetic tapedrive, a compact disk drive, an optical storage device, tape backupdevice, and/or any other storage device/drive.

Removable storage drive 514 may interact with a removable storage unit518.

Removable storage unit 518 may include a computer usable or readablestorage device having stored thereon computer software (control logic)and/or data. Removable storage unit 518 may be a floppy disk, magnetictape, compact disk, DVD, optical storage disk, and/any other computerdata storage device. Removable storage drive 514 may read from and/orwrite to removable storage unit 518.

Secondary memory 510 may include other means, devices, components,instrumentalities or other approaches for allowing computer programsand/or other instructions and/or data to be accessed by computer system500. Such means, devices, components, instrumentalities or otherapproaches may include, for example, a removable storage unit 522 and aninterface 520. Examples of the removable storage unit 522 and theinterface 520 may include a program cartridge and cartridge interface(such as that found in video game devices), a removable memory chip(such as an EPROM or PROM) and associated socket, a memory stick and USBport, a memory card and associated memory card slot, and/or any otherremovable storage unit and associated interface.

Computer system 500 may further include a communication or networkinterface 524. Communication interface 524 may enable computer system500 to communicate and interact with any combination of externaldevices, external networks, external entities, etc. (individually andcollectively referenced by reference number 528). For example,communication interface 524 may allow computer system 500 to communicatewith external or remote devices 528 over communications path 526, whichmay be wired and/or wireless (or a combination thereof), and which mayinclude any combination of LANs, WANs, the Internet, etc. Control logicand/or data may be transmitted to and from computer system 500 viacommunication path 526.

Computer system 500 may also be any of a personal digital assistant(PDA), desktop workstation, laptop or notebook computer, netbook,tablet, smart phone, smart watch or other wearable, appliance, part ofthe Internet-of-Things, and/or embedded system, to name a fewnon-limiting examples, or any combination thereof.

Computer system 500 may be a client or server, accessing or hosting anyapplications and/or data through any delivery paradigm, including butnot limited to remote or distributed cloud computing solutions; local oron-premises software (“on-premise” cloud-based solutions); “as aservice” models (e.g., content as a service (CaaS), digital content as aservice (DCaaS), software as a service (SaaS), managed software as aservice (MSaaS), platform as a service (PaaS), desktop as a service(DaaS), framework as a service (FaaS), backend as a service (BaaS),mobile backend as a service (MBaaS), infrastructure as a service (IaaS),etc.); and/or a hybrid model including any combination of the foregoingexamples or other services or delivery paradigms.

Any applicable data structures, file formats, and schemas in computersystem 500 may be derived from standards including but not limited toJavaScript Object Notation (JSON), Extensible Markup Language (XML), YetAnother Markup Language (YAML), Extensible Hypertext Markup Language(XHTML), Wireless Markup Language (WML), MessagePack, XML User InterfaceLanguage (XUL), or any other functionally similar representations aloneor in combination. Alternatively, proprietary data structures, formatsor schemas may be used, either exclusively or in combination with knownor open standards.

In some embodiments, a tangible, non-transitory apparatus or article ofmanufacture comprising a tangible, non-transitory computer useable orreadable medium having control logic (software) stored thereon may alsobe referred to herein as a computer program product or program storagedevice. This includes, but is not limited to, computer system 500, mainmemory 508, secondary memory 510, and removable storage units 518 and522, as well as tangible articles of manufacture embodying anycombination of the foregoing. Such control logic, when executed by oneor more data processing devices (such as computer system 500), may causesuch data processing devices to operate as described herein.

Based on the teachings contained in this disclosure, it will be apparentto persons skilled in the relevant art(s) how to make and useembodiments of this disclosure using data processing devices, computersystems and/or computer architectures other than that shown in FIG. 5.In particular, embodiments can operate with software, hardware, and/oroperating system implementations other than those described herein.

EXAMPLES

FIG. 6 illustrates exemplary usage of a cardless ATM cardlessauthentication system 600, by which an ATM system verifies andauthenticates a customer, in accordance with an embodiment.

A financial institution can receive transaction requests independentlysubmitted by a user 601 and a user 602. For example, user 601 may submita transaction request from her home, to draw some amount of cash from anATM kiosk, while user 602 may submit a transaction request from herautomobile to perform a deposit.

Cardless ATM cardless authentication system 600 can include first kiosk610, first transmitter 620, and first receiver 630, and second kiosk611, second transmitter 621, and second receiver 631. First transmitter620 and first receiver 630 can be connected to first kiosk 610, whilesecond transmitter 621 and second receiver 631 can be connected tosecond kiosk 611. Upon arrival at kiosk 610, a sensor (not shown) candetect the presence of one or more users 601 and 602. For example, asensor in transmitter 620 can be provided to detect the presence of auser at kiosk 610. In this example, a piezoelectric element disposedwithin transmitter 620 initiates an electric signal to kiosk 610indicating the presence of user 601 standing on transmitter 620.

Based on the detection, a key can be generated by kiosk 610 fortransmission by transmitter 620 to user device 640 controlled by user601. One or more processors generates a key to be used in theauthentication of user device 640 before carrying out one or morefinancial transactions. For example, an encryption key is randomlygenerated using a PRNG such as a linear-feedback shift register (LFSR)or other cipher protocol. A signal including the key is transmitted bytransmitter 620 to user device 640 in a first direction. Transmitter 620can include a directional antenna that is configured to transmit a firstsignal in a specific direction, such that user device 640 is onlyenabled to acquire a first signal when disposed at a specific locationrelative to transmitter 620.

As described above, transmitter 620 is configured to transmit an RFsignal in only one direction, within a range of about ten percent orless from the direction. Transmitter 620 includes a directional antennaconfigured to transmit a first signal, where user device 640 is onlyenabled to acquire first signal when disposed above transmitter 620.Specifically, transmitter 620 can be disposed in a floor mat and includea directional antenna configured to transmit first signal. A directionalantenna of transmitter 620 is configured to transmit first signal in adirection (y) orthogonal to the floor (e.g., at an angle between about80° and about 100° to the floor, or between about 85° and 95° to thefloor, or at an angle about 90° to the floor). Thereby, user device 640generally is enabled to receive first signal when positioned overtransmitter 620. Transmitter 621 is similarly configured to transmitonly to a direction enabled to reach a device operated by a userstanding in front of kiosk 611 (e.g., user 602) such that user device641 generally is enabled to receive a signal transmitted by transmitter621.

User device 640 receives the key and generates a one-time-password (OTP)that is cryptographically combined with the key using a one-way functionhash function. For example, user device 640 can generate a signal basedon the key and OTP using a SHA function. The cryptographically combinedone-time-password is transmitted from user device 640 to receiver 630.Because receiver is positioned relative to the expected location of auser of kiosk 610, a directional antenna of receiver 630 is oriented toreceive signals from that expected location.

In some embodiments, an antenna of receiver 630 is configured to notreceive signals outside some threshold variance from that expectedlocation (e.g., from outside 10% of a center point of a given location).Specifically, receiver 630 includes a directional antenna configured toreceive the second signal only from a user standing in front of kiosk610. Specifically, transmitter 620 can be disposed overhead, beside, atany given orientation and include a directional antenna such that asignal can be received only from a location proximal relative to kiosk610. Thereby, receiver 630 is enabled to receive a second signal fromuser device 640.

Then, based on the OTP transmitted from user device 640 in secondsignal, and received by receiver 630, the credentials of user 601 areconfirmed enabling the user to complete the financial transactionrequest.

Likewise, user device 641 of user 602 generates a separate OTP that iscryptographically combined with a separate key received from transmitter621. The OTP is also generated using a one-way function hash function.The OTP generated by user device 641 can be transmitted to receiver 631,which is oriented to receive signals from the expected location of userdevice 641. Thereby, the credentials of user 602 are confirmed enablingthe user to complete the financial transaction request.

In this manner, cardless ATM cardless authentication system 600 isconfigured to enable a user's financial transaction to be performed onlyby an ATM kiosk where the user is present. By enabling the financialtransaction only when the corresponding user is present in front of theATM, security is improved.

A system includes a kiosk that includes a processor. The processor isconfigured to perform an electronic payment transaction based oninstructions received from a portable device of a user. The systemfurther includes a transmitting device electrically coupled to thekiosk. The transmitting device is configured to transmit a first signalto the portable device at a first direction. The system further includesa receiving device electrically coupled to the kiosk. The receivingdevice is configured to receive a second signal from the portable deviceat a second direction. The transmitting device and receiving device arepositioned such that the first and second direction enable determinationof a position of the user, where the processor enables the electronicpayment transaction to be processed only when the portable device is ata location relative to the kiosk. The location is disposed within atransmission path coextensive with both the first direction and thesecond direction.

A computer-implemented method includes receiving, by a portable device,an input from a user, the input including an instruction for anelectronic payment transaction; transmitting, by the portable device, atransaction request to a kiosk, the kiosk including one or morecomputing devices, the transaction request including the instruction forthe electronic payment transaction. The method includes receiving, bythe portable device, an encryption key from a transmitting device of thekiosk, the encryption key received from the transmitting device at afirst direction; The method further includes generating, by the portabledevice, a key response based on the encryption key. The methodadditionally includes transmitting, by the portable device, the keyresponse to a receiving device of the kiosk, the key responsetransmitted at a second direction. The receiving the encryption key fromthe first direction and the transmitting the response key at the seconddirection enable determination of a proximity of the user to the kiosk.The transmitting the response key enables the kiosk to process theelectronic payment transaction based on the proximity of the user to thekiosk.

A computer-implemented method includes receiving, by one or morecomputing devices, a transaction request from a user, the transactionrequest submitted by the user on a portable device. The method includesreceiving, from a sensor electrically coupled to the one or morecomputing devices, an initiation signal to indicate the proximity of theuser; generating, by the one or more computing devices, an encryptionkey based on the transaction request and in response to the initiationsignal. The method also includes transmitting, by a transmitting deviceelectrically coupled to the one or more computing devices, theencryption key to the portable device. The method further includesreceiving, by a receiving device electrically coupled to the one or morecomputing devices, a key response from the portable device. The methodincludes additionally authenticating, by the one or more computingdevices, the portable device based on the encryption key and the keyresponse to establish a secure binding between the portable device andthe one or more computing devices.

It is to be appreciated that the Detailed Description section, and notthe Summary and Abstract sections, is intended to be used to interpretthe claims. The Summary and Abstract sections may set forth one or morebut not all exemplary embodiments of the present invention ascontemplated by the inventor(s), and thus, are not intended to limit thepresent invention and the appended claims in any way.

The present invention has been described above with the aid offunctional building blocks illustrating the implementation of specifiedfunctions and relationships thereof. The boundaries of these functionalbuilding blocks have been arbitrarily defined herein for the convenienceof the description. Alternate boundaries can be defined so long as thespecified functions and relationships thereof are appropriatelyperformed.

The foregoing description of the specific embodiments will so fullyreveal the general nature of the invention that others can, by applyingknowledge within the skill of the art, readily modify and/or adapt forvarious applications such specific embodiments, without undueexperimentation, without departing from the general concept of thepresent invention. Therefore, such adaptations and modifications areintended to be within the meaning and range of equivalents of thedisclosed embodiments, based on the teaching and guidance presentedherein. It is to be understood that the phraseology or terminologyherein is for the purpose of description and not of limitation, suchthat the terminology or phraseology of the present specification is tobe interpreted by the skilled artisan in light of the teachings andguidance.

The breadth and scope of the present invention should not be limited byany of the above-described exemplary embodiments, but should be definedonly in accordance with the following claims and their equivalents.

The claims in the instant application are different than those of theparent application or other related applications. The Applicanttherefore rescinds any disclaimer of claim scope made in the parentapplication or any predecessor application in relation to the instantapplication. The Examiner is therefore advised that any such previousdisclaimer and the cited references that it was made to avoid, may needto be revisited. Further, the Examiner is also reminded that anydisclaimer made in the instant application should not be read into oragainst the parent application.

What is claimed is:
 1. A system comprising: a kiosk comprising aprocessor configured to perform an electronic payment transaction basedon instructions received from a portable device of a user; atransmitting device communicatively coupled to the kiosk, thetransmitting device configured to transmit, in a first direction, afirst signal to the portable device; and a receiving devicecommunicatively coupled to the kiosk, the receiving device configured toreceive a second signal transmitted from the portable device in a seconddirection, wherein the transmitting device and receiving device arepositioned to enable the kiosk, by the processor, to triangulate aposition of the portable device, wherein the processor enables theelectronic payment transaction to be processed only when the portabledevice is disposed at a position coextensive with both the firstdirection and the second direction.
 2. The system of claim 1, whereinthe transmitting device transmits the first signal based on aninstruction received from the kiosk.
 3. The system of claim 1, whereinthe receiving device is disposed over the transmitting device in adirection extending linearly with the first direction and the seconddirection.
 4. The system of claim 1, wherein the transmitting dicecomprises a base member, a directional antenna electrically coupled tothe kiosk, and a sensor electrically coupled to the kiosk and configuredto detect a presence of the user.
 5. The system of claim 1, wherein: thekiosk, based on an initiation signal received from the transmittingdevice, generates an encryption key, the transmitting device, based onan instruction received from the kiosk, transmits the first signal, thefirst signal comprising the encryption key, and the processor, based onthe second signal received from the portable device, establishes asecure binding between the kiosk and the portable device, the securebinding enabling processing of the electronic payment transaction. 6.The system of claim 5, wherein the processor determines, based on thereceiving the second signal whether the user is in proximity of thekiosk, and, when the user is in proximity of the kiosk, authorizes theelectronic payment transaction.
 7. The system of claim 5, wherein thetransmitting device is configured to transmit the first signal, by adirectional antenna, to the portable device disposed over thedirectional antenna.
 8. A computer-implemented method comprising:transmitting an instruction for an electronic payment transaction to akiosk, the kiosk comprising one or more computing devices; receiving, bya portable device, a first signal from a first direction from atransmitting device communicatively coupled to the kiosk; andtransmitting, by the portable device, a second signal to a receivingdevice communicatively coupled to the kiosk, the second signaltransmitted in a second direction, wherein the transmitting device andreceiving device are positioned to enable the kiosk, by the processor,to triangulate a position of the portable device, wherein the processorenables the electronic payment transaction to be processed only when theportable device is disposed at a position coextensive with both thefirst direction and the second direction.
 9. The computer-implementedmethod of claim 8, further comprising generating, after receiving thefirst signal by the portable device, the second signal comprising aresponse key to enable the kiosk to perform a two-factor authenticationof the portable device.
 10. The computer-implemented method of claim 8,further comprising generating, after receiving the first signal by theportable device, the second signal comprising a response key comprisinga one-time password (OTP) based on information associated with a user.11. The computer-implemented method of claim 8, further comprising:generating an image signal associated with the instruction; andtransmitting the image signal scanned to a camera of the kiosk, whereinthe transmitting the image signal enables the kiosk to transmit thefirst signal comprising an encryption key.
 12. The computer-implementedmethod of claim 8, wherein: the receiving the first signal comprisesreceiving an encryption key transmitted from a directional antenna ofthe transmitting device from the first direction, the transmitting thesecond signal comprises transmitting a response key in the seconddirection, and the first direction and the second direction enable thekiosk to triangulate a position of a user.
 13. A computer-implementedmethod comprising: receiving, by one or more computing devices, atransaction request from a user, the transaction request submitted bythe user on a portable device; receiving, from a sensor electricallycoupled to the one or more computing devices, an initiation signal toindicate a proximity of the user; generating, by the one or morecomputing devices, an encryption key based on the transaction requestand in response to the initiation signal; transmitting, in a firstdirection by a transmitting device electrically coupled to the one ormore computing devices, the encryption key to the portable device;receiving, at a second direction by a receiving device electricallycoupled to the one or more computing devices, a key response from theportable device, wherein the transmitting device and receiving deviceare positioned to enable triangulation of a position of the portabledevice; and authenticating, by the one or more computing devices, theportable device based on the encryption key and the key response toestablish a secure binding between the portable device and the one ormore computing devices, wherein the processor enables an electronicpayment transaction to be processed only when the portable device isdisposed within a transmission path coextensive with both the firstdirection and the second direction.
 14. The computer-implemented methodof claim 13, further comprising prestaging, by a mobile application ofthe portable device, the transaction request to be submitted to the oneor more computing devices.
 15. The computer-implemented method of claim13, further comprising scanning, by the one or more computing devices,an image signal presented by the portable device and associated with thetransaction request.
 16. The computer-implemented method of claim 15,wherein the image signal presented by the portable device and associatedwith the transaction request comprises a bar code.
 17. Thecomputer-implemented method of claim 13, further comprising authorizing,by the one or more computing devices, the transaction request based onthe authenticating of the portable device, wherein the portable deviceis determined to be associated with the transaction request.
 18. Thecomputer-implemented method of claim 13, wherein the authenticationcomprises performing a two-factor authentication with informationassociated with the user.
 19. The computer-implemented method of claim18, wherein the authentication comprises generating a one-time password(OTP) based on the information associated with the user.